Today, access control is one of the critical concerns in computer networks and services. Various methods have been developed to control access to resources and services; usually these methods implement one or more security or other access policies, or combinations and hierarchies thereof. Typically, an access policy implemented in a respective rule-set includes control of inbound and outbound traffic related to certain resources. Such control is enforced with the help of one or more access-control gateways, which can comprise various devices and/or combinations thereof (e.g. switches, routers, firewalls, VPN devices, load balancers, web proxies, etc.).
However, managing connectivity requests in a framework of implemented access control rule-set(s) presents an increasing challenge to security departments worldwide. The problems of handling connectivity requests have been recognized in the Prior Art and various systems have been developed to provide a solution, as for example:
US Application No. 2012/192246 (Harrison) discloses a system capable of automated mapping between a connectivity request and an ordered security rule-set, and a method of operating it. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automated recognition of at least one rule within the rule-set that controls the traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and by matching the connectivity-related actions specified in the connectivity request; a module for automated evaluation of the relationship between the traffic controlled by the recognized at least one rule and the traffic requested in the at least one connectivity request; and a module for automated classification, in accordance with the evaluation results, of the at least one connectivity request with respect to the at least one rule and/or vice versa.
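The mapping described above (recognize the rules that control the requested traffic, evaluate how each rule's traffic relates to the requested traffic, then classify the request) can be illustrated in code. The following is an added example written for this page, not code from the cited application or from any product; the data model (rules and requests as sets of source subnets, destination subnets and services with an allow/deny action), the first-match semantics for the ordered rule-set, and the labels "covers", "intersects", "disjoint" and "fully_covered", "partially_covered", "not_covered" are assumptions made for the illustration, and the rules and requests at the bottom are constructed sample data.

```python
"""Map a connectivity request onto an ordered firewall rule-set.

Added illustration (not code from the cited application). The data model,
the set-of-subnets representation and the classification labels are
assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import product
from typing import Dict, List, Optional, Tuple

Combo = Tuple[str, str, str]  # (source subnet, destination subnet, service)


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset       # CIDR strings
    destinations: frozenset  # CIDR strings
    services: frozenset      # e.g. "tcp/443"
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class ConnectivityRequest:
    sources: frozenset
    destinations: frozenset
    services: frozenset
    action: str              # the action the requester wants applied


def _within(net: str, pool: frozenset) -> bool:
    """True if CIDR `net` lies inside at least one CIDR in `pool`."""
    n = ip_network(net)
    return any(n.subnet_of(ip_network(p)) for p in pool)


def combinations(obj) -> List[Combo]:
    """Expand (sources x destinations x services) into explicit combinations."""
    return sorted(product(obj.sources, obj.destinations, obj.services))


def rule_controls(rule: Rule, combo: Combo) -> bool:
    """A rule controls a combination when it matches source, destination and service."""
    src, dst, svc = combo
    return (_within(src, rule.sources) and _within(dst, rule.destinations)
            and svc in rule.services)


def first_controlling_rule(rules: List[Rule], combo: Combo) -> Optional[Rule]:
    """Ordered rule-set semantics: the first matching rule decides the traffic."""
    for rule in rules:
        if rule_controls(rule, combo):
            return rule
    return None


def relationship(rule: Rule, request: ConnectivityRequest) -> str:
    """Relate the traffic a single rule controls to the traffic the request asks for."""
    hits = [rule_controls(rule, c) for c in combinations(request)]
    if all(hits):
        return "covers"
    if any(hits):
        return "intersects"
    return "disjoint"


def classify_request(rules: List[Rule], request: ConnectivityRequest) -> Dict[str, object]:
    """Classify a request against the ordered rule-set, combination by combination."""
    per_combo: Dict[Combo, str] = {}
    recognized: List[Rule] = []
    satisfied = 0
    for combo in combinations(request):
        rule = first_controlling_rule(rules, combo)
        if rule is None:
            per_combo[combo] = "no rule"
        elif rule.action == request.action:
            per_combo[combo] = f"satisfied by {rule.name}"
            satisfied += 1
            if rule not in recognized:
                recognized.append(rule)
        else:
            # An earlier rule with the opposite action shadows this traffic.
            per_combo[combo] = f"contradicted by {rule.name}"
    if satisfied == len(per_combo):
        status = "fully_covered"
    elif satisfied:
        status = "partially_covered"
    else:
        status = "not_covered"
    return {"status": status, "rules": [r.name for r in recognized], "detail": per_combo}


# Constructed sample rule-set and requests (hypothetical addresses and names).
RULES = [
    Rule("block-ssh-to-db", frozenset({"10.0.0.0/8"}), frozenset({"192.168.1.10/32"}),
         frozenset({"tcp/22"}), "deny"),
    Rule("web-from-branch", frozenset({"10.1.0.0/16"}), frozenset({"192.168.1.0/24"}),
         frozenset({"tcp/22", "tcp/443"}), "allow"),
]
REQ_A = ConnectivityRequest(frozenset({"10.1.2.0/24"}), frozenset({"192.168.1.20/32"}),
                            frozenset({"tcp/443"}), "allow")
REQ_B = ConnectivityRequest(frozenset({"10.1.2.0/24"}),
                            frozenset({"192.168.1.10/32", "192.168.1.20/32"}),
                            frozenset({"tcp/22"}), "allow")
REQ_C = ConnectivityRequest(frozenset({"172.16.0.0/12"}), frozenset({"192.168.1.20/32"}),
                            frozenset({"tcp/443"}), "allow")

if __name__ == "__main__":
    for name, req in (("A", REQ_A), ("B", REQ_B), ("C", REQ_C)):
        print(name, classify_request(RULES, req)["status"])
```

Request A is already permitted by the second rule, request B is only half served because the earlier deny rule shadows the traffic to the database host, and request C matches no rule at all; a reviewer handling the request would act differently in each case (nothing to do, resolve the conflict, or add a rule).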
US Patent Application No. 2008/282314 (Abzarian et al.) discloses a firewall helping a user make a decision regarding network access for an application executing on a computing device by providing “hints” to the user about an appropriate network access policy. If at least one previously set firewall policy for the application exists in a context different from a current context, the user may be presented with information based on a previously set firewall policy. The information may be prioritized based on a source of the previously set firewall policy and other factors, to provide the user with a hint that facilitates making the decision appropriate in the current context. A programming interface to the firewall allows third party applications to specify a format in which hints are provided to the user.
US Patent Application No. 2005/005165 (Morgan et al.) discloses a method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.
US Patent Application No. 2003/212657 (Lu et al.) discloses an extensible rules engine that uses database technology that provides a rules evaluation service for applications external to the database server or database management system. Applications are able to utilize the rules engine to provide alternative behaviors based on information against which specified conditions are evaluated. A framework is provided for specifying data definitions that can be referenced by user-defined rules, through creation and use of an evaluation context. Application-specific data types can be defined by specifying data tables and/or variables that can be referenced by rules created for evaluation against data that is associated with the evaluation context.